Most people only discover their laptop drive is encrypted at the worst possible moment — mid-repair, mid-reset, or after a BIOS update — when Windows suddenly halts with a blue screen demanding a 48-digit recovery key they have never seen before. The laptop is fine; the data is right there on the drive. But without that key, it might as well be behind a locked vault. BitLocker is the reason, and understanding what it does takes about five minutes.
What BitLocker actually does
BitLocker is Microsoft’s full-disk encryption technology. When it is active, every byte written to the drive is encrypted on the fly. Pull that drive out and put it in another machine — or attach it as a USB caddy — and you get nothing readable. The data is not deleted; it is scrambled in a way that requires the correct cryptographic key to unscramble it.
On most modern laptops, a small chip on the motherboard called the TPM (Trusted Platform Module) holds a portion of that key and releases it automatically when the machine boots normally. That is why you never notice anything — Windows unlocks the drive in the background during startup, and everything looks exactly as it always has. The protection only kicks in when something unexpected happens: someone steals the drive, swaps the motherboard, or changes low-level firmware in a way the TPM does not recognise.
If your laptop is lost or stolen, the thief cannot read your files by booting into Linux or plugging the drive into another PC. That is the whole point of the feature, and it does that job well.
Why it’s on by default now
Older versions of Windows left BitLocker off unless you went looking for it. That changed. From Windows 11 version 24H2 onwards, Microsoft enables Device Encryption — a simplified form of BitLocker available even on Home editions — automatically during clean installs and factory resets on qualifying hardware. Many new laptops shipping from Dell, Lenovo, HP, and others come with it active straight out of the box.
The trigger is signing in with a Microsoft account during setup. When you do that, Windows encrypts the drive and silently uploads a copy of your recovery key to your Microsoft account. In theory this is sensible: the key is somewhere safe and you can retrieve it at account.microsoft.com/devices/recoverykey. In practice, very few people know this happened, and fewer still have tested whether they can actually access it.
How to check if it's on
1. Open Settings
Press Windows + I to open Settings.
2. Go to Privacy & security › Device encryption
Select Privacy & security in the left-hand menu, then click Device encryption. If the toggle shows On, your drive is encrypted.
3. On Windows Pro? Check via Manage BitLocker
If you have Windows 11 Pro, Enterprise, or Education, type Manage BitLocker into the Start menu search bar. The panel shows the encryption status of every drive.
4. Retrieve your recovery key
If encryption is on and you signed in with a Microsoft account, visit account.microsoft.com/devices/recoverykey to check your key is there and make a note of it somewhere offline (a piece of paper kept away from the laptop is fine).
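The same check can be scripted. The PowerShell below is an added example, not part of the original article: it reports each volume's encryption state and whether a recovery password exists, and prints the recovery Key ID so you can match it against the Key ID listed beside each key at account.microsoft.com/devices/recoverykey. It assumes an elevated PowerShell session on a machine where the built-in BitLocker module (Get-BitLockerVolume) is available; the function name Get-EncryptionAudit is made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker / Device encryption state for every volume.
# Assumption: the built-in BitLocker module (Get-BitLockerVolume) is present.
# Get-EncryptionAudit is a hypothetical helper name, not a Windows cmdlet.

function Get-EncryptionAudit {
    param(
        # The 48-digit key is hidden unless explicitly requested,
        # so it does not end up in screenshots or transcripts by accident.
        [switch]$ShowRecoveryPassword
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Key protectors attached to this volume, split by type.
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')

        $finding = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            'Not encrypted'
        } elseif ($vol.ProtectionStatus -ne 'On') {
            'Encrypted, but protection is off or suspended'
        } elseif ($recovery.Count -eq 0) {
            'Protected, but there is no recovery password to back up'
        } else {
            'Protected; confirm the Key ID matches your backed-up key'
        }

        [pscustomobject]@{
            Volume           = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            Protection       = $vol.ProtectionStatus
            PercentEncrypted = $vol.EncryptionPercentage
            TpmProtector     = [bool]$tpm.Count
            RecoveryKeyId    = $recovery.KeyProtectorId -join ', '
            RecoveryPassword = if ($ShowRecoveryPassword) {
                                   $recovery.RecoveryPassword -join ', '
                               } else { '(hidden)' }
            Finding          = $finding
        }
    }
}

Get-EncryptionAudit | Format-List
```

Run `Get-EncryptionAudit -ShowRecoveryPassword` only when you are ready to copy the key to its offline location, and close the window afterwards.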
The catch
BitLocker is designed to detect unauthorised changes at a hardware or firmware level. When it sees something unexpected — a modified boot sequence, a different PCIe configuration, a motherboard swap — the TPM withholds the key and Windows asks for the recovery key before it will proceed. That is the security working exactly as intended.
The problem is that plenty of legitimate operations can trigger the same response: a BIOS update, a RAM upgrade that shifts memory mapping, a CMOS reset, or a motherboard-level repair. If the laptop then boots into that recovery screen and you do not have the key to hand, you are locked out. The drive is not damaged. The data is all there. But without the key there is no way to read it — not even for us.
Should you turn it off?
Generally, no. Full-disk encryption is genuinely useful protection — particularly on a laptop that travels. If it goes missing on a train or gets lifted from a bag, whoever has it cannot read your files, your emails, your saved passwords, any of it. Disabling encryption to avoid the inconvenience of keeping track of a key is the wrong trade-off.
The better move is to spend five minutes confirming the key is safely backed up. Check your Microsoft account, save a copy somewhere sensible (a password manager, a printed sheet in a drawer), and you are done. After that the feature runs silently and you never need to think about it again — until something does go wrong, at which point you will be very glad you did.
If you want a step-by-step walkthrough for finding the key in different scenarios — Microsoft account, local account, work domain — our BitLocker recovery key guide covers each case. And if your laptop is heading in for a repair, it is worth knowing that we always ask customers about BitLocker before touching anything — if you have any questions before booking, drop us a message and we will talk you through it.